H2O.ai H2O-3 Pre-Authentication Logic Flaw in Rapids Setproperty Allows Unauthenticated POJO Import and Execution of Arbitrary POJO Code

Vulnerability

A critical pre-authentication logic flaw exists in H2O-3 versions prior to 7402. The vulnerability is in the Rapids setproperty primitive handler, specifically within the exec function of AstSetProperty.java. This flaw allows unauthenticated users to manipulate system properties across all cluster nodes via the POST /99/Rapids endpoint. The issue arises because the application exposes an internal debugging primitive that can bypass default security measures, particularly those related to importing Java POJOs, which is disabled by default due to associated security risks. Exploitation of this vulnerability can lead to unauthorized execution of Java code on the server, manipulation of runtime security properties, and potential cluster-wide abuse.

Impact

Exploitation allows an unauthenticated attacker to bypass POJO import restrictions, execute arbitrary Java code on the H2O-3 server, and tamper with security settings, leading to data compromise, service disruption, and further abuse across the cluster.

Reproduction

To reproduce this vulnerability, upload a malicious Java POJO source file and attempt to import it through the ModelBuilders generic endpoint, which will fail because POJO import is disabled by default. Then, call the POST /99/Rapids endpoint to enable POJO import by setting the appropriate system property. After re-enabling the import, the same POJO can be successfully imported, and its execution can be verified by checking the resulting changes in server-side properties.

Remediation

Remove or restrict public access to debugging primitives like setproperty through the POST /99/Rapids endpoint. Ensure that unauthenticated or low-privilege users cannot modify security-related properties. Make high-risk security switches immutable at runtime or configurable only at startup by administrators. Add authentication and authorization checks to the POJO import process, and require trusted signatures or prebuilt artifacts instead of allowing arbitrary Java source code to be uploaded and executed.
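
One way to implement the "immutable at runtime" recommendation above, as an added example that is not H2O-3 code: security switches are snapshotted once at startup, security decisions read only that snapshot, and the runtime setter rejects unauthenticated callers and any security-related key. The class name, the property keys and the callerIsAdmin flag are hypothetical placeholders.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration: a runtime property setter that cannot touch startup-only security switches. */
public final class GuardedProperties {
    // Hypothetical key names; substitute the deployment's real security-related properties.
    private static final Set<String> STARTUP_ONLY = Set.of(
            "example.security.pojo.import.enabled",
            "example.security.auth.required");
    // Only keys under this prefix are writable at runtime (assumption for this example).
    private static final String RUNTIME_PREFIX = "example.debug.";

    private final Map<String, String> frozen = new ConcurrentHashMap<>();

    /** Snapshot the security switches once, at startup, before any request is served. */
    public GuardedProperties() {
        for (String key : STARTUP_ONLY) {
            frozen.put(key, System.getProperty(key, "false")); // default: disabled
        }
    }

    /** Security decisions read the frozen snapshot, never the live system properties. */
    public boolean isEnabled(String key) {
        return Boolean.parseBoolean(frozen.getOrDefault(key, "false"));
    }

    /** Runtime setter: authenticated administrators only, and only for non-security keys. */
    public void set(String key, String value, boolean callerIsAdmin) {
        if (!callerIsAdmin) {
            throw new SecurityException("property changes require an authenticated administrator");
        }
        if (STARTUP_ONLY.contains(key) || !key.startsWith(RUNTIME_PREFIX)) {
            throw new SecurityException("property is not writable at runtime: " + key);
        }
        System.setProperty(key, value);
    }

    public static void main(String[] args) {
        GuardedProperties props = new GuardedProperties();
        try {
            props.set("example.security.pojo.import.enabled", "true", false);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        props.set("example.debug.trace", "on", true); // allowed: debug key, admin caller
        System.out.println("pojo import enabled: "
                + props.isEnabled("example.security.pojo.import.enabled"));
    }
}
```

Because isEnabled reads the startup snapshot, a later write to the live system property through some other code path still does not change the security decision.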

Added: May 17, 2026, 12:18 PM
Updated: May 17, 2026, 12:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.